On Jun 19, 2026 Chi Wang <[email protected]> wrote:
> 
> Multiple readers access audit_queue.qlen via skb_queue_len() without
> holding the queue lock or using READ_ONCE(), while kauditd writes to
> this field via the skb_dequeue() → __skb_unlink() path with WRITE_ONCE()
> protected by a spinlock. This constitutes data races.
> 
> All affected skb_queue_len(&audit_queue) call sites:
>   - kauditd_thread() wait_event_freezable() condition
>   - audit_receive_msg() AUDIT_GET handler (s.backlog assignment)
>   - audit_receive() backlog check
>   - audit_log_start() backlog check and pr_warn()
> 
> KCSAN reports the following conflicting access pattern (one example):
> ==================================================================
> BUG: KCSAN: data-race in audit_log_start / skb_dequeue
> 
> write (marked) to 0xffffffff8512ee20 of 4 bytes by task 661 on cpu 57:
>  skb_dequeue+0x70/0xf0
>  kauditd_send_queue+0x71/0x220
>  kauditd_thread+0x1cb/0x430
>  kthread+0x1c2/0x210
>  ret_from_fork+0x162/0x1a0
>  ret_from_fork_asm+0x1a/0x30
> 
> read to 0xffffffff8512ee20 of 4 bytes by task 36586 on cpu 1:
>  audit_log_start+0x2a0/0x6b0
>  audit_core_dumps+0x64/0xa0
>  do_coredump+0x14b/0x1260
>  get_signal+0xeb2/0xf70
>  arch_do_signal_or_restart+0x41/0x170
>  exit_to_user_mode_loop+0xa2/0x1c0
>  do_syscall_64+0x1a3/0x1c0
>  entry_SYSCALL_64_after_hwframe+0x76/0xe0
> 
> value changed: 0x00000001 -> 0x00000000
> ==================================================================
> 
> Resolve the race by switching to lockless helper skb_queue_len_lockless(),
> which internally uses READ_ONCE() and properly pairs with the WRITE_ONCE()
> write accesses already present on the writer side.
> 
> Fixes: 3197542482df ("audit: rework audit_log_start()")
> Signed-off-by: Chi Wang <[email protected]>
> Cc: [email protected]
> Reviewed-by: Ricardo Robaina <[email protected]>
> ---
>  kernel/audit.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)

Merged into stable-7.2, thanks.

--
paul-moore.com

Reply via email to